Using Oracle Data Redaction with the Continuous Compliance Engine (KBA10761)
KBA
KBA#
Applicable Delphix Versions
- Click here to view the versions of the Delphix engine to which this article applies
-
Date Release Jan 25, 2024 19.0.0.0 Dec 20, 2023 | Jan 10, 2024 18.0.0.0 | 18.0.0.1 Nov 21, 2023 17.0.0.0 Oct 18, 2023 16.0.0.0 Sep 21, 2023 15.0.0.0 Aug 24, 2023 14.0.0.0 Jul 24, 2023 13.0.0.0 Jun 21, 2023 12.0.0.0 May 25, 2023 11.0.0.0 Apr 13, 2023 10.0.0.0 | 10.0.0.1 Mar 13, 2023 | Mar 20, 2023 9.0.0.0 | 9.0.0.1 Feb 13, 2023 8.0.0.0 Jan 12, 2023 7.0.0.0 Releases Prior to 2023 Major Release All Sub Releases 6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0, 6.0.12.0, 6.0.12.1, 6.0.13.0, 6.0.13.1, 6.0.14.0, 6.0.15.0, 6.0.16.0, 6.0.17.0, 6.0.17.1, 6.0.17.2
5.3
5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0 5.2
5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
5.1
5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0
5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4
Using Oracle Data Redaction with the Continuous Compliance Engine
This article provides informaiton on the impact of the Oracle Data Redaction feature on Continuous Compliance Engine Masking Jobs.
Overview of the Oracle Data Redaction feature
Oracle Data Redaction is an Oracle feature provided in the DBMS_REDACT
package which can be used to redact data before transmitting it to users or applications.
For example, applying the following policy will replace the first 5 digits of the SSN
column with the letter X:
BEGIN DBMS_REDACT.ADD_POLICY( object_schema => 'hr', object_name => 'employee', column_name => 'employee_ssn', policy_name => 'mask_employee_ssns', function_type => DBMS_REDACT.PARTIAL, function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,X,1,5', expression => '1=1'); END;
A user with SELECT
permissions may see redacted data when querying the employee
table:
employee_id | employee_ssn |
1 | XXX-XX-1567 |
2 | XXX-XX-8195 |
Users who also have the EXEMPT REDACTION POLICY
privilege, including as the sys
user, will see the original unredacted data:
employee_id | employee_ssn |
1 | 613-00-1567 |
2 | 476-00-8195 |
This feature was introduced in Oracle Database 12c, and is described in Oracle's Advanced Security Guide and DBMS_REDACT documentation.
Impact of Oracle Data Redaction on Profiling jobs
Database users used as part of Profiling jobs should be granted the EXEMPT REDACTION POLICY
privilege or be excluded from redaction as part of the filter expression.
If the database user is not exempt from redaction and the Oracle Data Redaction feature is in use, Profiling jobs may be impacted in the following ways:
- Profiling jobs that use Type Expressions, including the Standard Profile Set, may fail to correctly classify redacted data.
- Profiling jobs that use the Automated Sensitive Data Discovery (ASDD) Profile Set may fail to correctly classify redacted data.
Profiling jobs that use Legacy Profile Sets will classify columns using the column names instead of row data and will be unaffected.
Impact of Oracle Data Redaction on Masking Jobs
Database users used as part of Masking jobs should be granted the EXEMPT REDACTION POLICY
privilege or be excluded from redaction as part of the filter expression.
If the database user is not exempt from redaction, and the Oracle Data Redaction feature is in use, Masking jobs may be affected in the following ways:
- If the Data Redaction policy creates identical data for two inputs (masking "Ken" and "Karen" as "K****"), a Masking Algorithm may mask both values to the same output. This will create more duplicate values than expected and may violate uniqueness constraints.
- If the Data Redaction policy randomizes data (such as using the
DBMS_REDACT.RANDOM
redaction function), a Masking Algorithm may unexpectedly create different masked output each time it is run. - If the Data Redaction policy changes the way data is presented (masking "12345" as "12***"), some Masking Algorithms may attempt to write unexpected characters back to the database, resulting in data type violations or unexpected results when using the masked data.
Impact of Oracle Data Redaction on Masked Databases
Oracle Data Redaction policies are not modified by the Continuous Compliance Engine and will still be present on databases after a Masking Job is completed. Any data returned by these policies will be based on the data modified by the Masking Job, instead of the original unmasked values.
Once sensitive data has been masked by a Masking Job, Data Redaction policies which affect these columns may no longer be required. These rules can be removed, depending on your business requirements for the masked database.
In many cases, it will be desirable to keep these Data Redaction policies in place, so that application and database behavior is consistent between the original and masked copies of the database.
Related Articles
The following articles may provide more information or related information to this article:
- Oracle document: Oracle Data Redaction
- Oracle document: Advanced Security Guide
- Oracle document: DBMS_REDACT
- Using SQL Server Dynamic Data Masking with the Continuous Compliance Engine (KBA10534)